Tamper-proof electronic packages with stressed glass component substrate(s)

ABSTRACT

Tamper-proof electronic packages and fabrication methods are provided which include a glass substrate. The glass substrate is stressed glass with a compressively-stressed surface layer. Further, one or more electronic components are secured to the glass substrate within a secure volume of the tamper-proof electronic package. In operation, the glass substrate is configured to fragment with an attempted intrusion event into the electronic package, and the fragmenting of the glass substrate also fragments the electronic component(s) secured to the glass substrate, thereby destroying the electronic component(s). In certain implementations, the glass substrate has undergone ion-exchange processing to provide the stressed glass. Further, the electronic package may include an enclosure, and the glass substrate may be located within the secure volume separate from the enclosure, or alternatively, the enclosure may be a stressed glass enclosure, an inner surface of which is the glass substrate for the electronic component(s).

BACKGROUND

Many activities require secure electronic communications. To facilitatesecure electronic communications, an encryption/decryption system may beimplemented on an electronic assembly or printed circuit board assemblythat is included in equipment connected to a communications network.Such an electronic assembly is an enticing target for malefactors sinceit may contain codes or keys to decrypt intercepted messages, or toencode fraudulent messages. To prevent this, an electronic assembly maybe mounted in an enclosure, which is then wrapped in a security sensorand encapsulated with polyurethane resin. A security sensor may be, inone or more embodiments, a web or sheet of insulating material withcircuit elements, such as closely-spaced, conductive lines fabricated onit. The circuit elements are disrupted if the sensor is torn, and thetear can be sensed in order to generate an alarm signal. The alarmsignal may be conveyed to a monitor circuit in order to reveal an attackon the integrity of the assembly. The alarm signal may also trigger anerasure of encryption/decryption keys stored within the electronicassembly.

SUMMARY

Provided herein, in one or more aspects, is a tamper-proof electronicpackage which includes: a glass substrate, the glass substrate includingstressed glass with a compressively-stressed surface layer; and at leastone electronic component secured to the glass substrate within a securevolume of the tamper-proof electronic package. Further, the tamper-proofelectronic package includes a glass enclosure that defines, least inpart, the secure volume. The glass enclosure includes stressed glasswith a compressively-stressed surface layer. The glass enclosureincludes the glass substrate, and at least one electronic component isadhesively coupled to an inner surface of the glass enclosure. Further,the glass enclosure is an upper glass enclosure, and the tamper-proofelectronic package also includes a base glass enclosure. The upper glassenclosure and the base glass enclosure being adhesively secured togetherto define the secure volume, with the base glass enclosure alsoincluding stressed glass with a compressively-stressed surface layer. Inoperation, the glass substrate fragments with an attempted intrusionevent into the tamper-proof electronic package, and the fragmenting ofthe glass substrate also fragments the at least one electronic componentsecured thereto, destroying the at least one electronic component.Additionally, the glass enclosure is an upper glass enclosure, and thetamper-proof electronic package further includes a base glass enclosure.The upper glass enclosure and the base glass enclosure are adhesivelysecured together to define the secure volume. The base glass enclosurealso includes stressed glass with a compressively-stressed surfacelayer.

In one or more other aspects, a fabrication method is provided whichincludes fabricating a tamper-proof electronic package. The fabricatingincludes: providing a glass substrate, the glass substrate comprisingstressed glass with a compressively-stressed surface layer; securing atleast one electronic component to the glass substrate, the glasssubstrate being within a secure volume of the tamper-proof electronicpackage, the at least one electronic component including an electronicmodule. Further, the fabricating includes providing a glass enclosuredefining, least in part, the secure volume. The glass enclosure includesstressed glass with a compressively-stressed surface layer. The glassenclosure includes the glass substrate, with at least one electroniccomponent being adhesively coupled to an inner surface of the glassenclosure. Further, the glass enclosure is an upper glass enclosure, andthe method further includes providing a base glass enclosure. The upperglass enclosure and the base glass enclosure being adhesively securedtogether to define the secure volume, and the base glass enclosure alsoincluding stressed glass with a compressively-stressed surface layer. Inoperation, the glass substrate fragments with an attempted intrusionevent into the secure volume of the tamper-proof electronic package, andthe fragmenting of the glass substrate also fragments the at least oneelectronic component secured thereto, destroying the at least oneelectronic component.

Additional features and advantages are realized through the techniquesof the present invention. Other embodiments and aspects of the inventionare described in detail herein and are considered a part of the claimedinvention.

BRIEF DESCRIPTION OF THE DRAWINGS

One or more aspects of the present invention are particularly pointedout and distinctly claimed as examples in the claims at the conclusionof the specification. The foregoing and other objects, features, andadvantages of the invention are apparent from the following detaileddescription taken in conjunction with the accompanying drawings inwhich:

FIG. 1 is a partial cut-away of one embodiment of a tamper-proofelectronic package;

FIG. 2A is a cross-sectional elevational view of another embodiment of atamper-proof electronic package, or tamper-respondent assembly, whichincludes (in part) a glass enclosure formed of stressed glass, and amulti-layer circuit board with an embedded tamper-respondent sensor, inaccordance with one or more aspects of the present invention;

FIG. 2B is a top plan view of the multilayer circuit board of FIG. 2A,depicting one embodiment of the secure volume where defined, in part,within the multilayer circuit board, in accordance with one or moreaspects of the present invention;

FIG. 3 is a partial cross-sectional elevational view of a more detailedembodiment of the tamper-proof electronic package of FIGS. 2A & 2Bcomprising (in part) a glass enclosure, and a multilayer circuit boardwith embedded tamper-respondent sensor, in accordance with one or moreaspects of the present invention;

FIG. 4 depicts one embodiment of a process of fabricating a multilayercircuit board with an embedded tamper-respondent sensor, in accordancewith one or more aspects of the present invention;

FIG. 5 depicts one embodiment of a tamper-proof electronic package, ortamper-respondent assembly, which includes (in part) a glass enclosureformed of stressed glass, and a tamper-respondent detector, inaccordance with one or more aspects of the present invention;

FIG. 6 depicts another embodiment of a tamper-proof electronic package,which includes (in part) a glass enclosure formed of stressed glass anda tamper-respondent detector, in accordance with one or more aspects ofthe present invention;

FIG. 7 depicts a further embodiment of a tamper-proof electronicpackage, which includes (in part) a glass enclosure assemblysubstantially fully enclosing one or more electronic components (such asa circuit board or card) to be protected, in accordance with one or moreaspects of the present invention;

FIG. 8A depicts another embodiment of a tamper-proof electronic packagecomprising (in part) a glass enclosure formed of stressed glass and atamper-respondent detector, in accordance with one or more aspects ofthe present invention;

FIG. 8B depicts a further embodiment of a tamper-proof electronicpackage including (in part) a glass enclosure formed of stressed glassand a tamper-respondent detector, in accordance with one or more aspectsof the present invention;

FIG. 8C is another embodiment of a tamper-proof electronic packagecomprising (in part) a glass enclosure formed of stressed glass and atamper-respondent detector, in accordance with one or more aspects ofthe present invention;

FIG. 8D depicts a further embodiment of a tamper-proof electronicpackage comprising (in part) a glass enclosure formed of stressed glassand an optical tamper-respondent detector, in accordance with one ormore aspects of the present invention;

FIG. 9 illustrates a further embodiment of a tamper-proof electronicpackage, which includes (in part) an electronic component mounted to aglass substrate within a secure volume of the tamper-proof electronicpackage, in accordance with one or more aspects of the presentinvention;

FIG. 10 depicts a further embodiment of a tamper-proof electronicpackage comprising (in part) an electronic component mounted to an innersurface of a glass enclosure formed of stressed glass, in accordancewith one or more aspects of the present invention; and

FIG. 11 depicts another embodiment of a tamper-proof electronic packageincluding (in part) an electronic component mounted to an inner surfaceof a glass enclosure assembly formed of stressed glass, in accordancewith one or more aspects of the present invention.

DETAILED DESCRIPTION

Aspects of the present invention and certain features, advantages, anddetails thereof, are explained more fully below with reference to thenon-limiting example(s) illustrated in the accompanying drawings.Descriptions of well-known materials, fabrication tools, processingtechniques, etc., are omitted so as not to unnecessarily obscure theinvention in detail. It should be understood, however, that the detaileddescription and the specific example(s), while indicating aspects of theinvention, are given by way of illustration only, and are not by way oflimitation. Various substitutions, modifications, additions, and/orarrangements, within the spirit and/or scope of the underlying inventiveconcepts will be apparent to those skilled in the art for thisdisclosure. Note further that reference is made below to the drawings,which are not drawn to scale for ease of understanding, wherein the samereference numbers used throughout different figures designate the sameor similar components. Also, note that numerous inventive aspects andfeatures are disclosed herein, and unless otherwise inconsistent, eachdisclosed aspect or feature is combinable with any other disclosedaspect or feature as desired for a particular application, for instance,for establishing a secure volume about an electronic component(s) orelectronic assembly to be protected.

Reference is first made to FIG. 1 of the drawings, which illustrates oneapproach for an electronic package 100 configured as a tamper-proofelectronic package for purposes of discussion. In the depictedembodiment, an electronic assembly enclosure 110 is provided containing,for instance, an electronic assembly, which in one embodiment mayinclude a plurality of electronic components, such as an encryptionand/or decryption module and associated memory. The encryption and/ordecryption module may comprise security-sensitive information with, forinstance, access to the information stored in the module requiring useof a variable key, and with the nature of the key being stored in theassociated memory within the enclosure.

In one or more implementations, a tamper-proof electronic package suchas depicted is configured or arranged to detect attempts to tamper-withor penetrate into electronic assembly enclosure 110. Accordingly,electronic assembly enclosure 110 also includes, for instance, a monitorcircuit which, if tampering is detected, activates an erase circuit toerase information stored within the associated memory, as well as theencryption and/or decryption module within the communications card.These components may be mounted on, and interconnected by, a multilayercircuit board, such as a printed circuit board or other multilayersubstrate, and be internally or externally powered via a power supplyprovided within the electronic assembly enclosure.

In the embodiment illustrated, and as one example only, electronicassembly enclosure 110 may be surrounded by a tamper-respondent sensor120, an encapsulant 130, and an outer, thermally conductive enclosure140. In one or more implementations, tamper-respondent sensor 120 mayinclude a tamper-respondent laminate that is folded around electronicassembly enclosure 110, and encapsulant 130 may be provided in the formof a molding. Tamper-respondent sensor 120 may include various detectionlayers, which are monitored through, for instance, a ribbon cable by theenclosure monitor, against sudden violent attempts to penetrateenclosure 110 and damage the enclosure monitor or erase circuit, beforeinformation can be erased from the encryption module. Thetamper-respondent sensor may be, for example, any such articlecommercially available or described in various publications and issuedpatents, or any enhanced article such as disclosed herein.

By way of example, tamper-respondent sensor 120 may be formed as atamper-respondent laminate comprising a number of separate layers with,for instance, an outermost lamination-respondent layer including amatrix of, for example, diagonally-extending or sinusoidally-extending,conductive or semi-conductive lines printed onto a regular, thininsulating film. The matrix of lines forms a number of continuousconductors which would be broken if attempts are made to penetrate thefilm. The lines may be formed, for instance, by printing carbon-loadedPolymer Thick Film (PTF) ink onto the film and selectively connectingthe lines on each side, by conductive vias, near the edges of the film.Connections between the lines and an enclosure monitor of thecommunications card may be provided via, for instance, one or moreribbon cables. The ribbon cable itself may be formed of lines ofconductive ink printed onto an extension of the film, if desired.Connections between the matrix and the ribbon cable may be made viaconnectors formed on one edge of the film. As noted, the laminate may bewrapped around the electronic assembly enclosure to define thetamper-respondent sensor 120 surrounding enclosure 110.

In one or more implementations, the various elements of the laminate maybe adhered together and wrapped around enclosure 110, in a similarmanner to gift-wrapping a parcel, to define the tamper-respondent sensorshape 120. The assembly may be placed in a mold which is then filledwith, for instance, cold-pour polyurethane, and the polyurethane may becured and hardened to form an encapsulant 130. The encapsulant may, inone or more embodiments, completely surround the tamper-respondentsensor 120 and enclosure 110, and thus form a complete environmentalseal, protecting the interior of the enclosure. The hardenedpolyurethane is resilient and increases robustness of the electronicpackage in normal use. Outer, thermally conductive enclosure 140 mayoptionally be provided over encapsulant 130 to, for instance, providefurther structural rigidity to the electronic package.

When considering tamper-proof packaging, the electronic package needs tomaintain defined tamper-proof requirements, such as those set forth inthe National Institutes of Standards and Technology (NIST) PublicationFIPS 140-2, which is a U.S. Government Computer Security Standard, usedto accredit cryptographic modules. The NIST FIPS 140-2 defines fourlevels of security, named Level 1 to Level 4, with Security Level 1providing the lowest level of security, and Security Level 4 providingthe highest level of security. At Security Level 4, physical securitymechanisms are provided to establish a complete envelope of protectionaround the cryptographic module, with the intent of detecting andresponding to any unauthorized attempt at physical access. Penetrationof the cryptographic module enclosure from any direction has a very highprobability of being detected, resulting in the immediate zeroization ofall plain text critical security parameters (CSPs). Security Level 4cryptographic modules are useful for operation in physically unprotectedenvironments.

To address the demands for ever-improving anti-intrusion technology, andthe higher-performance encryption/decryption functions being provided,enhancements to the tamper-proof, tamper-evident packaging for theelectronic component(s) or assembly at issue are desired.

Numerous enhancements are described hereinbelow to, for instance,tamper-proof electronic packages and tamper-respondent sensors. Notethat the numerous inventive aspects described herein may be used singly,or in any desired combination. Additionally, in one or moreimplementations, the enhancements to tamper-proof electronic packagingdescribed herein may be provided to work within defined spacelimitations for existing packages. For instance, one or more of theconcepts described may be configured to work with peripheral componentinterconnect express (PCIe) size limits.

Disclosed hereinbelow with reference to FIGS. 2A-11 are variousapproaches and/or enhancements to creating, for instance, a securevolume for accommodating one or more electronic components, such as oneor more encryption and/or decryption modules and associated componentsof, for instance, a communications card or other electronic assembly tobe protected.

FIGS. 2A & 2B depict one embodiment of a tamper-proof electronic package200, or tamper-respondent assembly, which comprises one or moreelectronic components, such as a circuit 215 and/or electronic devices(or elements) 202 to be protected, in accordance with one or morefurther aspects of the present invention.

Referring collectively to FIGS. 2A & 2B, circuit 215 resides on or isembedded within a multilayer circuit board 210, which also has anembedded tamper-respondent sensor 211 that facilitates defining, inpart, a secure volume 201 associated with multilayer circuit board 210that (in one or more embodiments) extends into multilayer circuit board210. In particular, in the embodiment of FIGS. 2A & 2B, secure volume201 may exist partially within multilayer circuit board 210, andpartially above multilayer circuit board 210. One or more electronicdevices 202 are mounted to multilayer circuit board 210 within securevolume 201 and may comprise, for instance, one or more encryptionmodules and/or decryption modules, and/or associated components, to beprotected within the tamper-proof electronic package. In one or moreimplementations, the one or more electronic components to be protectedmay comprise, for instance, a secure communications card of a computersystem.

Tamper-proof electronic package 200 further includes a glass enclosure220, such as a pedestal-type, stressed glass enclosure, mounted tomultilayer circuit board 210 within, for instance, a continuous groove(or trench) 212 formed within an upper surface of multilayer circuitboard 210, and secured to the multilayer circuit board 210 via, forinstance, a structural adhesive 217 disposed within continuous groove212. In one or more embodiments, glass enclosure 220 comprises stressedglass with a compressively-stressed surface layer, as described furtherbelow. A thermally conductive cap or cover 221 may overlie and couple toouter surfaces of glass enclosure 220, to operate as a heatsink forfacilitating cooling the one or more electronic components within thesecure volume. As described further below, a tamper-respondent detector(not shown) is also provided within the secure volume to monitor thestressed glass enclosure and identify a tamper intrusion event with, forinstance, fragmentation of the stressed glass. Together with thestressed glass, and the tamper-respondent detector, tamper-respondentsensor 211 embedded within multilayer circuit board 210 facilitatesdefining secure volume 201.

As depicted in FIG. 2B, one or more external circuit connection vias 213may be provided within multilayer circuit board 210 for electricallyconnecting to the one or more electronic components within secure volume201. These one or more external circuit connection vias 213 mayelectrically connect to one or more external signal lines or planes (notshown) embedded within multilayer circuit board 210 and extending, forinstance, into a secure base region of (or below) secure volume 201, asexplained further below. Electrical connections to and from securevolume 201 may be provided by coupling to such external signal lines orplanes within the multilayer circuit board 210.

As noted, secure volume 201 may be sized to house one or more electroniccomponents to be protected, and may be constructed to extend intomultilayer circuit board 210. In one or more implementations, multilayercircuit board 210 includes electrical interconnect within the securevolume 201 defined in the board, for instance, for electricallyconnecting one or more tamper-respondent layers of the embeddedtamper-respondent sensor 211 to associated monitor circuitry alsodisposed within secure volume 201, along with, for instance, one or moredaughter cards, such as memory DIMMs, PCIe cards, processor cards, etc.

Note that the packaging embodiment depicted in FIGS. 2A & 2B ispresented by way of example only. Other configurations of glassenclosure 220, or multilayer circuit board 210 may be employed, and/orother approaches to coupling glass enclosure 220 and multilayer circuitboard 210 may be used. For instance, in one or more alternateimplementations, glass enclosure 220 may be securely affixed to an uppersurface of multilayer circuit board 210 (without a continuous groove)using, for instance, a structural bonding material such as an epoxy orother adhesive.

By way of further example, FIG. 3 depicts a partial cross-sectionalelevational view of a more detailed embodiment of tamper-proofelectronic package 200, and in particular, of multilayer circuit board210, to which glass enclosure 220 is secured. In this configuration, theembedded tamper-respondent sensor includes multiple tamper-respondentlayers including, by way of example, at least one tamper-respondent mat(or base) layer 300, and at least one tamper-respondent frame 301. Inthe example depicted, two tamper-respondent mat layers 300 and twotamper-respondent frame 301 are illustrated, by way of example only. Thelower-most tamper-respondent mat layer 300 may be a continuous sense ordetect layer extending completely below the secure volume being definedwithin and/or above multilayer circuit board 210. One or bothtamper-respondent mat layers 300 below secure volume 201 may bepartitioned into multiple circuit zones. Within each tamper-respondentmat layer, or more particularly, within each circuit zone of eachtamper-respondent mat layer, multiple circuits or conductive traces maybe provided in any desired configuration. Further, the conductive traceswithin the tamper-respondent layers may be implemented as, for instance,a resistive layer.

As illustrated, one or more external signal lines or planes 305 mayenter secure volume 201 between, in one embodiment, twotamper-respondent mat layers 300, and then electrically connect upwardsinto the secure volume 201 through one or more conductive vias, arrangedin any desired location and pattern. In the configuration depicted, theone or more tamper-respondent frames 301 are disposed at least inside ofthe area defined by continuous groove 212 accommodating the base ofglass enclosure 220. Together with the tamper-respondent detectorassociated with glass enclosure 220, tamper-respondent frames 301, andtamper-respondent mat layers 300, define secure volume 201, whichextends, in part, into multilayer circuit board 210. With secure volume201 defined, in part, within multilayer circuit board 210, the externalsignal line(s) 305 may be securely electrically connected to, forinstance, the one or more electronic components mounted to, or of,multilayer circuit board 210 within secure volume 201. In addition,secure volume 201 may accommodate electrical interconnection of theconductive traces of the multiple tamper-respondent layers 300, 301, forinstance, via appropriate monitor circuitry.

Added security may be provided by extending tamper-respondent mat layers300 (and if desired, tamper-respondent frames 301) outward past theperiphery of glass enclosure 220. In this manner, a line of attack maybe made more difficult at the interface between glass enclosure 220 andmultilayer circuit board 210 since the attack would need to clear, forinstance, tamper-respondent mat layers 300, the glass enclosure 220, aswell as the tamper-respondent frames 301 of the embeddedtamper-respondent sensor.

Numerous variations on multilayer circuit board 210 of FIGS. 2A-2B arepossible. For instance, in one embodiment, the embeddedtamper-respondent sensor may include one or more tamper-respondent matlayers 300 and one or more tamper-respondent frames 301, such asdescribed above, and a tri-plate structure comprising one or moreexternal signal lines or layers sandwiched between an upper ground planeand a lower ground plane. In this configuration, high-speed transfer ofsignals to and from the secure volume, and in particular, to and fromthe one or more electronic components resident within the secure volume,would be facilitated.

Note also that, once within the secure volume is defined in part withinmultilayer circuit board 210, conductive vias within the secure volumebetween layers of multilayer circuit board 210 may be either aligned, oroffset, as desired, dependent upon the implementation. Alignment ofconductive vias may facilitate, for instance, providing a shortestconnection path, while offsetting conductive vias between layers mayfurther enhance security of the tamper-proof electronic package bymaking an attack into the secure volume through or around one or moretamper-respondent layers of the multiple tamper-respondent layers moredifficult.

The tamper-respondent layers of the embedded tamper-respondent sensorformed within the multilayer circuit board of the electronic circuit orelectronic package may include multiple conductive traces or linesformed between, for instance, respective sets of input and outputcontacts or vias at the trace termination points. Any pattern and anynumber of conductive traces or circuits may be employed in defining atamper-respondent layer or a tamper-respondent circuit zone within atamper-respondent layer. For instance, 4, 6, 8, etc., conductive tracesmay be formed in parallel (or otherwise) within a giventamper-respondent layer or circuit zone between the respective sets ofinput and output contacts to those conductive traces.

In one or more implementations, the multilayer circuit board may be amultilayer wiring board or printed circuit board formed, for instance,by building up the multiple layers of the board. FIG. 4 illustrates oneembodiment for forming and patterning a tamper-respondent layer withinsuch a multilayer circuit board.

As illustrated in FIG. 4, in one or more implementations, atamper-respondent layer, such as a tamper-respondent mat layer or atamper-respondent frame disclosed herein, may be formed by providing amaterial stack comprising, at least in part, a structural layer 401,such as a pre-preg (or pre-impregnated) material layer, a trace materiallayer 402 for use in defining the desired trace patterns, and anoverlying conductive material layer 403, to be patterned to defineconductive contacts or vias electrically connecting to the pattern oftraces being formed within the trace material layer 402, for instance,at trace terminal points. In one or more implementations, the tracematerial layer 402 may comprise nickel phosphorous (NiP), and theoverlying conductive layer 403 may comprise copper. Note that thesematerials are identified by way of example only, and that other traceand/or conductive materials may be used within the build-up 400.

A first photoresist 404 is provided over build-up 400, and patternedwith one or more openings 405, through which the overlying conductivelayer 403 may be etched. Depending on the materials employed, and theetch processes used, a second etch process may be desired to removeportions of trace material layer 402 to define the conductive traces ofthe subject tamper-respondent layer. First photoresist 404 may then beremoved, and a second photoresist 404′ is provided over the conductivelayer 403 features to remain, such as the input and output contacts.Exposed portions of conductive layer 403 are then etched, and the secondphotoresist 404′ may be removed, with any opening in the layer beingfilled, for instance, with an adhesive (or pre-preg) and a next build-uplayer is provided, as shown. Note that in this implementation, most ofoverlying conductive layer 403 is etched away, with only the conductivecontacts or vias remaining where desired, for instance, at the terminalpoints of the traces formed within the layer by the patterning of thetrace material layer 402. Note that any of a variety of materials may beemployed to form the conductive lines or traces within atamper-respondent layer. Nickel-phosphorous (NiP) is particularlyadvantageous as a material since it is resistant to contact by solder,or use of a conductive adhesive to bond to it, making it harder tobridge from one circuit or trace to the next during an attempt topenetrate into the protected secure volume of the electronic circuit.Other materials which could be employed include OhmegaPly®, offered byOhmega Technologies, Inc., of Culver City, Calif. (USA), or Ticer™,offered by Ticer Technologies of Chandler, Ariz. (USA).

The trace lines or circuits within the tamper-respondent layers, and inparticular, the tamper-respondent circuit zones, of the embeddedtamper-respondent sensor, along with the tamper-respondent detectormonitoring the glass enclosure, may be electrically connected to monitoror compare circuitry provided, for instance, within secure volume 201(FIG. 2A) of the tamper-proof electronic package. The monitor circuitrymay include various bridge or compare circuits, and conventional printedwiring board electrical interconnect inside secure volume 201 (FIG. 2A),for instance, located within the secure volume defined by thetamper-respondent frames 301 (FIG. 3), and the tamper-respondent matlayers 300 (FIG. 3).

Note that advantageously, different tamper-respondent circuit zones ondifferent tamper-respondent layers may be electrically interconnectedinto, for instance, the same comparator circuit, Wheatstone bridge, orsimilar monitor circuitry. Thus, any of a large number of interconnectconfigurations may be possible. For instance, if each of twotamper-respondent mat layers contains 30 tamper-respondent circuitzones, and each of two tamper-respondent frames contains 4tamper-respondent circuit zones, then, for instance, the resultant 68tamper-respondent circuit zones may be connected in any configurationwithin the secure volume to create the desired arrangement of circuitnetworks within the secure volume being monitored for changes inresistance or tampering. Note in this regard, that the power supply orbattery for the tamper-respondent sensor may be located external to thesecure volume, with the sensor being configured to trip and destroy anyprotected or critical data if the power supply or battery is tamperedwith.

As briefly noted, in one or more implementations, the tamper-proofelectronic packages disclosed herein may include (at least in part)stressed glass enclosure protection of the one or more electroniccomponents. The secure volume, for instance, secure volume 201 (FIG. 2A)may be defined in part by glass enclosure 220, as well as atamper-respondent detector monitoring, the glass enclosure. The glassenclosure may be fabricated of stressed glass, such that the stressedglass fragments (at least in part) with an attempted intrusion eventinto the secure volume such as, for instance, a mechanical or chemicalattack through the stressed glass. The tamper-respondent detectordetects the fragmentation of the stressed glass, and thus the tamperintrusion event. Once tampering is detected, the monitor circuitry mayactivate an erase circuit to erase information stored within, forinstance, associated memory, as well as any encryption and/or decryptionmodule within the secure volume. More generally, monitor circuitry couldactivate an erase circuit to erase any confidential information storedwithin the secure volume.

In one or more implementations, the glass enclosure may comprise ahighly stressed glass enclosure with a compressively-stressed surfacelayer. For instance, the glass enclosure may comprise a machined glassor molded (or cast) glass stressed using an ion exchange process,referred to herein as ion exchanged glass. Note also in this regard,that the stressed glass may be any friable glass or friable glassceramic, with stressed glass being used herein as inclusive of astressed glass ceramic. In one or more embodiments, thecompressively-stressed surface layer(s) may be compressively-stressed ortailored so that the stress glass fragments into, for instance, glassparticles less than 1000 μm in size, such as in a range of 100-1000 μmin size, with an attempted tamper intrusion event through the stressedglass. The fragmentation size of the glass particles may be tailored toensure that the tamper-respondent detector monitoring the glassenclosure senses the tamper intrusion event. For instance, thetamper-respondent detector may monitor structural integrity of thestressed glass via a sensor associated with the stressed glass, and thefragmentation size of the glass particles should be sufficient to, forinstance, break the sensor, and thereby signal the tamper event.

In one or more embodiments, the stressed glass of the glass enclosuremay be coated to provide, in part, opaqueness to the glass enclosure.For instance, one or more surfaces of the stressed glass, afterundergoing processing to stress the surfaces, may be coated to provideopaqueness to the glass enclosure. Alternatively, the glass enclosure,such as the compressively-stressed surface layer(s) of the enclosure,may be partially etched, for instance, after undergoing processing tostress the surface(s), thereby providing opaqueness to the glassenclosure.

The stressed glass may be, in one or more embodiments, a monolithicglass element configured to enclose, at least in part, the at least oneelectronic component within the secure volume. For instance, a machinedor molded, monolithic glass element could be formed to define amulti-sided glass structure, such as a five-sided glass enclosure. Themulti-sided glass structure could then be treated to compressivelystress the surfaces of the glass. For instance, ion-exchange processingcould be employed to provide a desired degree of compressive stressingon the surfaces or surface layers of the monolithic glass element. Inthis manner, the monolithic glass element is formed that comprisesstressed glass which defines multiple sides of the secure volume. Inanother embodiment, the glass enclosure could comprise a plurality ofstressed glass elements adhesively bonded together to form the glassenclosure, such as a multi-sided glass enclosure. Each stressed glasselement may comprise a respective, compressively-stressed surface layeror layers. For instance, with an ion-exchange process, any exposedsurface of a glass element may be treated to create the respective,compressively-stressed surface layer(s) of the stressed glass element.

As noted, in one or more embodiments, the tamper-respondent detectormonitors structural integrity of the stressed glass via one or moresensors associated with the stressed glass of the glass enclosure. Forinstance, the one or more sensors may comprise at least one conductorattached to or coating an inner surface of the stressed glass within thesecure volume. The at least one conductor may be sized, designed orconfigured to fragment with fragmentation of the stressed glass,thereby, for instance, open-circuiting the sensor and allowing monitorcircuitry of or associated with the detector to detect the tamperintrusion event. By way of example, the sensor(s) may comprise a thinconductive coating or a conductive trace on one or more inner surfacesof the stressed glass. Alternatively, the sensor(s) may monitor acapacitance or inductance of the stressed glass in monitoring structuralintegrity of the glass enclosure. In one or more other embodiments, thesensor(s) may monitor optical reflectance of the stressed glass orutilize the stressed glass as a waveguide in monitoring structuralintegrity of the glass enclosure. In such cases, one or more reflectivecoatings may be provided on or in association with the stressed glass ofthe glass enclosure to facilitate reflectance of an optical signalbetween, for instance, an optical emitter and one or more opticalreceivers disposed within the secure volume of the tamper-proofelectronic package.

In one or more other implementations, the glass enclosure may be anupper glass enclosure, and the tamper-proof electronic package may alsoinclude a base glass enclosure, with the upper glass enclosure and thebase glass enclosure being adhesively secured together (or to oppositesides of a circuit board), via, for instance, structural adhesive, todefine the secure volume accommodating the at least one electroniccomponent. In one or more embodiments, the base glass enclosure may alsocomprise stressed glass, with one or more compressively-stressed surfacelayers as described herein. In such embodiments, the electroniccomponent(s) to be protected within the secure volume may besubstantially 360° surrounded by a stressed glass assembly.

Note that in one or more embodiments, responsive to detecting anattempted intrusion event through the stressed glass, thetamper-respondent detector, which comprises the monitor circuitry withinthe secure volume, may signal an erase circuit to erase any confidentialinformation within the secure volume, such as a variable key of anencryption and/or decryption module, or other security sensitiveinformation disposed within the secure volume. This erasure ofinformation would occur automatically and commensurate with, forinstance, fragmentation of the stressed glass due to an intrusion event.

Before describing further exemplary tamper-proof electronic packages inaccordance with one or more aspects of the present invention, stressedglass materials and processings are discussed below.

Highly-stressed glass has been known to fragment into small pieces.There are several ways to create highly-stressed glass. For example,tempered glass is a type of highly-stressed glass that is made usingthermal treatments. Tempering the glass puts the outer surfaces of theglass into compression, and the inner portion of the glass into tension.

Another way to create highly-stressed glass is using chemicaltreatments, such as an ion-exchange process. A commonly usedion-exchange process for soda lime glass is a potassium and sodium(K/Na) ion-exchange process. Unstressed glass is submerged in a bathcontaining a potassium salt, typically potassium nitrate (KNO₃), at anelevated temperature. The sodium ions at the surface of the glass arereplaced by potassium ions from the potassium nitrate. Because thepotassium ions are roughly 30% larger than the sodium ions, the surfaceof the glass is put into a compressive state. The surface compression isbalanced by residual internal tensile stresses. The ion-exchange depthand the number of sodium ions replaced by potassium ions determines thecompressive layer depth and the magnitudes of the compressive andtensile stresses. The ion-exchanged depth is a diffusion-controlledprocess, modulated by time and temperature.

In material science, there has recently been work in controllingfragmentation characteristics of chemically strengthened glass.

The basic mechanism by which stressed glass fragmentation occurs hasonly recently been understood using the framework of fracture mechanics.The fragmentation phenomenon relies on glass having an interior regionin a highly tensile state contained within an exterior that iscompressively-stressed. If a flaw is introduced into the tensile regionof the glass, the glass experiences a large mode I crack driving forcedue to the release of strain energy from the stressed region. Thehigh-strain energy release rate causes a tensile crack to advancethrough the glass at speeds approaching the speed of sound. As the crackpropagates through the glass, it bifurcates due to the interactionbetween the stress field in front of the crack and stress waves. Themore often the crack bifurcates, the smaller the fragments will be.

The crack propagation may have two components. The crack may tunnelthrough the bulk of the material, and the crack may travel towards thesurface of the material. For chemically strengthened glass, the crackfront tunneling through the bulk of the material experiences a high, andmostly constant, crack driving force through the tensile region of thesubstrate. This allows it to propagate at a relatively steady velocity,close to the speed of sound, and allows it to branch and create anetwork of cracks in the tensile region of the substrate.

As used herein, the “fragmentation size” is a fragmentationcharacteristic pertaining to the width of the fragments of the glasssubstrate upon fracturing. The fragmentation size may be the average ofthe largest linear widths of the fragments created by the fracturing ofthe glass substrate. For example, a rectangular fragment of glass with afirst edge 250 microns wide, and a second edge 100 microns wide, willhave a fragment width of roughly 269 microns, because that is thelargest distance across a surface of the glass substrate, in this case,from corner to opposite corner. Fragmentation characteristics ofchemically strengthened glass can be controlled by altering the glass'sstress field. By altering the stress field within the glass, thefrequency of the crack bifurcation may be increased to cause the glassto fragment into smaller pieces. In particular, fragmentation size isdetermined by the ratio of the compressive layer (CL) stress to thetensile layer (TL) stress. There are certain constraints to thischaracterization when the compressive layer becomes too thick. To solvethat issue, larger ions, such as rubidium (Rb) may be used, along withthinner compressive layers formed, for instance, via shorter,higher-temperature anneals.

A “stress field” describes the magnitude and type of stress (e.g.,compressive, tensile) through a body, or through a region of a body. An“inhomogeneous stress field” is a stress field where the stresses withina material are not uniform. For example, a chemically strengthened glasssubstrate may have surfaces in compression, while the bulk of thematerial is in tension. The stress field for the chemically strengthenedglass substrate may be considered inhomogeneous because the stressesthrough the glass substrate are not the same.

By way of detailed example, studies of ion-exchange glass substrateshave mapped out the crack branch and behavior in certain commerciallyavailable glass substrates. The results show the dimension (x) of theglass fragments according to the following empirical relationship:

$\begin{matrix}{x = {\frac{K_{1}^{2}c}{\sigma_{t}^{2}}\left( {1 + v} \right)\frac{t}{\left( {{0.5\; t} - \delta} \right)}}} & (1)\end{matrix}$Where:

-   -   x=fragment size,    -   K_(1c)=toughness,    -   σ_(t)=tensile stress in the glass (the higher the tensile        stress, the larger the driving force),    -   t=thickness,    -   v=Poisson's ration (which is a constant for a given glass        composition, and is a measure of how much the glass part expands        (in compression) or contracts (in tension)), and    -   δ=ion exchange depth.

Based on this relationship, it would be expected that for a givensubstrate thickness, the fragment size should principally decrease withan increased ion exchange depth, and hence an increased ion exchangetime. That is, fragmentation or particle size will decrease with highertensile stress in the middle of the stressed glass layer, and adecreased glass thickness. Thus, in implementation, a balance needs tobe obtained between making the glass substrate too thin such that themiddle tensile layer becomes vanishing thin as well.

By way of example, an ion exchange process may be developed to achieve adesired glass fragmentation size using, for instance, a tube furnacewith a quartz tube and a PID controller. A stainless steel boat in thetube may be used to carry out the ion exchange. Glass plates may beplaced in salt melt in the boat during processing. If desired, astainless steel basket may be used inside the stainless steel boat tohandle very fragile thin glass plates.

The glass plates employed in forming the glass enclosure may be, forinstance, aluminosilicates available from Abrisa Technology, Inc. ofSanta Paula, Calif., USA. The glass plates may have a variety ofthicknesses. For instance, glass substrate thicknesses in a range of 0.5mm to 3 mm might be employed in forming the glass enclosure. Additionalgrinding and polishing may be carried out on untreated glass to reducethe thickness of the glass if a very thin glass substrate is desired fora particular application. By way of further example, machineablealuminosilicate glass may be obtained from Corning Glass through SwiftGlass Company of Elmira, N.Y., USA.

By way of specific example, in one or more embodiments, the glassenclosures described herein could comprise High Ion Exchange (HIE™),chemically strengthened glass, provided by Abrisa Technologies, of SantaPalo, Calif., USA. HIE™ glass is a thin, lightweight, aluminosilicateglass that is used in certain applications to achieve greater scratch,impact, and shock resistance.

Note also that, the glass enclosures described herein may have a finalwall thickness in the range of, for instance, 0.1-0.8 mm (100 to 800 μm)of an ion-exchangeable glass substrate, where the glass substrate hasbeen machined to its final dimensions, including rounded corners, priorto ion-exchanging in a suitable bath to allow for the compressive layerto be formed to an optimum thickness for a particular application,leaving a highly-tensile stressed core in the center of the glass.Final, fragmented particle size can be in a large range, provided thatthe fragmentation size is small enough to break the one or more sensorsof the tamper-respondent detector sufficiently to disable the sensor andthereby signal a tamper intrusion event. This range could be, forinstance, 100-1000 μm.

FIGS. 5-8D depict further exemplary tamper-proof electronic packages, inaccordance with one or more aspects of the present invention. Asdescribed below, in each implementation, a glass enclosure comprisingstressed glass is employed along with a tamper-respondent detector todetect fragmenting of the glass enclosure with an attempted intrusionevent through the stressed glass. As described herein, with detectingfragmenting of a stressed glass enclosure, an erase circuit may beactivated to erase confidential information stored within the securememory.

Referring to FIG. 5, a tamper-proof electronic package 500 is depictedwhich comprises, by way of example, a glass enclosure 220 formed of aplurality of stressed glass elements 520 adhesively bonded together. Inthis example, each stressed glass element 520 includes one or morerespective, compressively-stressed surface layers, and together theplurality of stressed glass elements 520 define multiple sides of securevolume 201. Stressed glass elements 520 may be adhesively securedtogether using, for instance, the same structural adhesive used insecuring glass enclosure 220 to, for instance, multilayer circuit board210. As one example, the structural adhesive may be, for instance,Henkel Loctite Hysol EA 9360 AERO epoxy adhesive, which adheres well toglass surfaces. As described above, multi-layer circuit board 210 maycomprise multiple embedded tamper-respondent sensors 300 within thecircuit board. Fabrication of multilayer circuit board 210 and provisionof embedded tamper-respondent sensors may be as described above inconnection with FIGS. 2A-4.

In the embodiment of FIG. 5, a tamper-respondent detector 505 isprovided comprising monitor circuitry 501 and multiple sensors 502. Eachsensor 502 is associated with a respective stressed glass element 520,with only two sensors 502 being depicted in FIG. 5 for clarity.Conductive lines may be provided coupling each sensor 502 to monitorcircuitry 501. Sensors 502 may be designed or configured to ensurefragmenting of the sensor with fragmenting of the attached stressedglass element 520.

In one or more implementations, each stressed glass element comprises,for instance, ion-exchange glass formed as described above. When theglass elements are assembled and adhesively secured together as depictedin FIG. 5, they form glass enclosure 220 enclosing the at least oneelectronic component, such as electronic devices or elements 202 withinsecure volume 201 of tamper-proof electronic package 500. The sensors502 may be formed as conductive or resistive elements, of any desiredmaterial, and (in one or more embodiments) be sufficiently thin tofragment with fragmenting of the attached stressed glass element 520.Monitor circuitry 501 may comprise or be coupled to an erase circuitwhich automatically erases confidential information stored within securevolume 201 with fragmenting of one or more of the stressed glasselements 520.

Note with respect to tamper-proof electronic package 500 of FIG. 5, thatglass enclosure 220 may be bonded to an upper surface of multilayeredcircuit board 210 without, for instance, residing within a continuousgroove such as that described above in connection with the embodiment ofFIGS. 2A-3. The structural adhesive noted above bonds tenaciously toboth the glass and the multilayer circuit board, and advantageouslyresults in the glass fracturing or the multilayer circuit board tearingupon an attempt to breach the enclosure through the structural adhesive.Note that in one or more implementations, depending upon thefragmentation process, or stressed glass elements used, fewer sensors502 may be employed in association with glass enclosure 220. Forinstance, it may be possible for fragmentation of one stressed glasselement 520 to be propagated to the other stressed glass elements 520across the structural adhesive. Further, although depicted as assembledfrom five distinct stressed glass elements 520, less than five stressglass elements may be employed to form glass enclosure 220. Forinstance, two L-shaped glass elements could be brought together andadhesively secured, along with a top side glass element to produce themulti-sided glass enclosure depicted in FIG. 5. Note also that the shapeand size of sensors 502 may vary depending on the implementation. Forinstance, each sensor 502 could comprise one or more conductive lines,traces or coatings covering a portion or substantially all of the innersurface of the respective stressed glass element 520 within securevolume 201. Further, any desired material could be employed in formingsensor 502 or the conductive lines coupling each sensor 502 to monitorcircuitry 501 of the tamper-respondent detector 505.

FIG. 6 depicts an alternate embodiment of a tamper-proof electronicpackage 600, in accordance with one or more aspects of the presentinvention. In this embodiment, a glass enclosure 220′ is provided and,for instance, adhesively secured to an upper surface of multilayercircuit board 210. Multilayer circuit board 210 again includes embeddedtamper-respondent sensors 300 such as described above, and one or moreelectronic components, such as electronic devices or elements 202 aredisposed within the defined secure volume 201 of tamper-proof electronicpackage 600.

In this embodiment, glass enclosure 220′ is a monolithic glass elementcomprising a multi-sided glass structure defining multiple sides ofsecure volume 201. In this monolithic example, fewer sensors 502 may beemployed by the tamper-respondent detector 505 to monitor forfragmentation of glass enclosure 220′ since fragmentation of the entireelement would occur upon any attempt to penetrate the stressed glassfrom any direction, whether mechanically or chemically attacking thestressed glass, thereby triggering detection of the tamper event by themonitor circuitry 501. By way of example, a monolithic glass elementsuch as depicted in FIG. 6 could be molded (or cast) in the desiredshape, or formed from a single block of glass hollowed out, forinstance, by etching or other machining methods, to create a cavity thatallows for the glass enclosure to accommodate the one or more electroniccomponents to be protected within secure volume 201 between glassenclosure 220′ and multilayer circuit board 210.

Note that in both the multiple stressed glass elements embodiment ofFIG. 5 and the monolithic glass element embodiment of FIG. 6, thicknessof the stressed glass may be tailored to a desired substrate size for aparticular application and a particular desired fragmentation size offragmented glass pieces resulting from an attempted intrusion event.Additionally, opacity of the glass enclosure may be provided to, forinstance, prevent an intruder from having visibility into the securevolume of the tamper-proof electronic package. Possible coatings of theglass enclosure could include InSnOxide or a metal or metal alloycoating, such as aluminum, or an aluminum alloy. Alternatively, theglass enclosure, and more particularly, the stressed glass element(s) ofthe glass enclosure could be mildly etched (for instance, afterion-exchange processing of the glass) to make the glass enclosureopaque. Further, opacity may be provided in combination with any of thetamper-proof electronic packages discussed herein.

By way of example, FIG. 7-8D depict various alternate implementations ofa tamper-proof electronic package. In each implementation depicted,glass enclosure 220′ is assumed to comprise a monolithic glass element,by way of example only. In other implementations, multiple stressedglass elements may be adhesively secured together to form the glassenclosure, such as described above in connection with FIG. 5. As noted,with a monolithic implementation, tamper-respondent detector 505 mayinclude monitor circuitry 501 and a single sensor 502 associated withthe monolithic glass element. In one or more other implementations,multiple sensors 502 could be provided in association with the stressedglass element, for instance, on the same glass face or surface, or ondifferent glass faces of the element.

Referring to FIG. 7, another embodiment of tamper-proof electronicpackage 700 is shown, in accordance with one or more aspects of thepresent invention. In this embodiment, the multilayer circuit board 210of FIGS. 5 & 6 is replaced by, for instance, a base glass enclosure 701structurally adhesively bonded 702 to glass enclosure 220′, which inthis assembly is an upper glass enclosure. Together, the upper and lowerglass enclosures 220′, 701 substantially form a 360-degree glassenclosure about secure volume 201, accommodating the electroniccomponents to be protected. Base glass enclosure 701 may also comprisestressed glass, with one or more compressively-stressed surface layers,such as described herein. Note that the thickness of the upper and lowerglass enclosures 220′, 701 may be the same or different. Thetamper-respondent detector 505 includes monitor circuitry 501 andmultiple sensors 502, with one sensor 502 being associated with upperglass enclosure 220′, and in one or more embodiments, another sensor(not shown) being associated with base glass enclosures 701, such thatan attempted intrusion event through any portion of the tamper-proofelectronic package results in fragmentation of at least thecorresponding upper or base glass enclosure, and thereby detection ofthe tamper event to allow for one or more actions to be taken to protectany confidential information within secure volume 201.

Note that in addition to structural adhesive 702, tamper-proofelectronic package 700 may include one or more sensors such as exposedconductive lines or traces on one or both of the upper and base glassenclosures, for instance, where joined via the adhesive 702. Thus, anypulling apart of the adhesive would necessarily result in damage to theconductive trace(s) at the interface, and thereby, detection of anattempted intrusion event through the adhesive. Further, any of thetamper-proof electronic packages disclosed herein could similarly employone or more conductive traces at the interface between, for instance,the glass enclosure and the multilayer circuit board to further protectthe interface between the two structures against an undetected tamperevent.

In the example of FIG. 7, electrical signals may be provided into orfrom the secure volume via one or more signal lines 703 extendingthrough, for instance, specially configured exit portals of base glassenclosure 701. For instance, in one or more implementations, Z-shaped orother angled channels could be formed in base enclosure 701 throughwhich electrical signal lines 703 may pass. The angled channels areformed to provide a mechanically secure egress and ingress of electricalsignal lines 703 from and to secure volume 201.

FIG. 8A depicts another embodiment of a tamper-proof electronic package800, in accordance with one or more aspects of the present invention.This tamper-proof electronic package 800 is similar to that describedabove in connection with FIG. 6. For instance, the tamper-proofelectronic package 800 includes a glass enclosure 220′ which, in one ormore implementations, is a monolithic glass element that is structurallyadhesively secured to multilayer circuit board 210 having embeddedtamper-respondent sensors 300 disposed therein. Secure volume 201 isdefined by glass enclosure 220′ for accommodating one or more electroniccomponents, such as electronic devices or elements 202. In thisembodiment, tamper-respondent detector 505 includes monitor circuitry501 and a sensor coating 810 m which is provided on the inner surface ofthe monolithic glass element defining secure volume 201. This sensorcoating 810 may be, for instance, a conductive coating, such as a metalor metal alloy coating, and the detector 505 may include conductivetraces or lines to multiple locations of the conductive coating 810 toelectrically connect to and monitor the conductive coating, and thus themonolithic glass element, for fragmentation. Note in this regard thatthe coating may be sufficiently thin, such as 1000 Angstroms or less, sothat should the stressed glass substrate of glass enclosure 220′fragment due to an attempted tamper event, the coating will alsofragment with the glass pieces. Note also that as in the otherembodiments described herein, the glass enclosure 220′ comprisesstressed glass having one or more compressively-stressed surface layers.For instance, in one or more embodiments, both the inner surface and theouter surface of the monolithic glass element may becompressively-stressed.

FIG. 8B depicts another tamper-proof electronic package 801 similar tothat described in connection with FIG. 6, but with the addition of oneor more sensor lines 820 at the interface between glass enclosure 220′and multilayer circuit board 210. As discussed above, these sensor lines820 may be exposed conductive lines or traces on one or both sides ofglass enclosure 220′, for instance, about the periphery of the glassenclosure, between or adjacent to the interface of glass enclosure 220′and multilayer circuit board 210. In one or more implementations, sensorlines 820 would be covered by the structural adhesive securing glassenclosure 220′ to multilayer circuit board 210. Therefore, an attemptedmechanical or chemical attack at the adhesive would necessarily resultin damage to the conductive trace(s) 820 at the interface, and therebydetection of the attempted intrusion event through the adhesive.

As illustrated in FIG. 8B, tamper-respondent detector 505 may includeone or more conductive lines connecting monitor circuitry 501 to sensorline(s) 820, as well as conductive lines coupling one or more sensors502 to monitor circuitry 501. As noted, in one or more implementations,glass enclosure 220′ may be a monolithic glass element that isstructurally, adhesively secured to multilayer circuit board 210, whichhas embedded tamper-respondent sensors 300 disposed therein. Together,the tamper-respondent detector 505 and the embedded tamper-respondentsensors 300, which may also be electrically connected to monitorcircuitry 501, facilitate defining secure volume 201 accommodating theone or more electronic components, such as electronic devices orelements 202, to be protected.

FIGS. 8C & 8D depict tamper-proof electronic packages 802, 803,respectively, with alternate embodiments of tamper-respondent detectors505. These tamper-proof electronic packages 802, 803 of FIGS. 8C & 8Dare similar to the tamper-proof electronic package described above inconnection with FIG. 6.

Referring to FIG. 8C, a tamper-respondent detector 505 is illustratedcomprising monitor circuitry 501 and multiple conductive contacts orplates 830, 831. The conductive contacts or plates 830, 831 may bedisposed in various locations on the monolithic glass element of glassenclosure 220′. By way of example, conductive contact or plate 830 maybe located on an inner surface of the monolithic glass element, andconductive contact or plate 831 may be located on the outer surface ofthe monolithic glass element. In both cases, the conductive contact orplate may be a thin conductive plate or coating, on or attached to therespective surface of the monolithic glass element. Conductive lines areprovided from monitor circuitry 501 to the conductive contacts orelements 830, 831, and the tamper-respondent detector may monitor inthis configuration capacitance or inductance of the stressed glasselement. Should fragmentation of the stressed glass element occur, thenthe capacitance change between the contacts or plates 830, 831 would bedetected by the monitor circuitry, thereby detecting the attemptedintrusion event. In this regard, note that one or more circuit lines 835may extend through, for instance, specially-configured exit portals ofthe monolithic glass element, or the multilayer circuit board 210. Asdescribed above, in one or more implementations, Z-shaped or otherangled channels could be formed in the monolithic glass element throughwhich electrical signal lines 835 pass. The angled channelsadvantageously provide secure ingress and egress of electrical signallines to the secure volume 201, and in this case, to and from monitorcircuitry 501.

FIG. 8D depicts a further variation, wherein tamper-respondent detector505 comprises one or more optical emitters 840 and one or more opticaldetectors or receivers 841 for monitoring reflectance 842 of thestressed glass. As with other embodiments of tamper-proof electronicpackages disclosed herein, multiple optical emitters and detectors orreceivers 841 may be employed to monitor different portions of thestressed glass, particularly, for instance, in a configuration wheremultiple stressed glass elements are adhesively secured together to formthe glass enclosure. In the example of FIG. 8D, glass enclosure 220′ maycomprise a single monolithic glass element, as described above inconnection with FIG. 6. Together with multilayer circuit board 210,having embedded tamper-respondent sensors 300, glass enclosure 220′forms secure volume 201 within which one or more electronic components,such as one or more electronic devices or elements 202 may reside. Inthe tamper-proof electronic package 803 embodiment of FIG. 8D, monitorcircuitry 501 may monitor for change in reflectance 842, which mayindicate, for instance, fragmentation of the monolithic glass element.With fragmentation, reflectance 842 would, for instance, be lost, inwhich case the attempted tamper intrusion event would be detected by thetamper-respondent detector 505.

In an alternate embodiment, the tamper-respondent detector 505 couldutilize the glass enclosure as a waveguide, providing one or moreemitters and one or more optical detectors in association with an innersurface of the glass enclosure for transmitting and receiving an opticalsignal through the glass enclosure. Security may be further enhanced bymodulating the signal being transmitted through the glass enclosure toany desired pattern, for instance, with only the monitor circuitrywithin the secure volume of the tamper-proof electronic package knowingof the correct signal modulation for the optical signal passing throughthe glass enclosure.

As noted, in one or more embodiments, responsive to detecting anattempted intrusion event into the stressed glass, the tamper-respondentdetector signals an erase circuit to erase any confidential informationwithin the secure volume. This confidential information is typicallystored in volatile memory to allow for fast erasure of information upondetection of an attempted intrusion event. However, volatile memoryrequires a certain amount of battery power to maintain the volatilememory active, and allow for the fast erasing of confidentialinformation in the event of a tamper event. This requirement for batterypower to provide protection in the event of a tamper event complicatesthe tamper-proof electronic packaging design by requiring additionalpower as part of the design.

To address this, disclosed hereinbelow with reference to FIGS. 9-11 areexemplary alternative tamper-proof electronic packages which may beemployed in combination with, for instance, persistent memory, toadvantageously simplify the tamper-proof assembly, and reduce the needfor battery power within the assembly in the event of a tamper event.

To summarize, in one or more enhanced embodiments, a tamper-proofelectronic package in accordance with one or more aspects of the presentinvention may include a glass substrate which comprises stressed glasswith a compressively-stressed surface layer, and one or more electroniccomponents may be secured to the glass substrate within a secure volumeof the tamper-proof electronic package. Advantageously, the glasssubstrate fragments with an attempted intrusion event into thetamper-proof electronic package, and the fragmenting of the glasssubstrate also physically fragments the electronic component(s) securedto the glass substrate, thereby destroying the electronic component(s).Various configurations for accomplishing this are described below anddepicted, by way of example, in FIGS. 9-11.

Note that in one or more embodiments, the glass substrate may haveundergone ion-exchange processing to provide the stressed glass with thecompressively-stressed surface layer. In one or more implementations,the compressively-stressed surface layer of the stressed glass may becompressively stressed to ensure that the stressed glass fragments intoglass particles of fragmentation size less than 1000 μms with theattempted intrusion event. Further, the one or more electroniccomponents may be thinned to any desired thickness which ensuresfragmenting of the electronic component(s) with fragmenting of the glasssubstrate to which it is adhesively secured using, for instance, astructural adhesive.

As noted, in one or more implementations, the electronic component(s)secured to the glass substrate may comprise one or more memorycomponents, such as one or more persistent memory components adhesivelysecured to the glass substrate.

In one or more embodiments, the tamper-proof electronic package mayinclude an enclosure to define, at least in part, the secure volume.Further, a tamper-respondent detector may monitor for the attemptedintrusion event into the secure volume, and a fragmentation triggerelement may be provided secured to the glass substrate. When present,the fragmentation trigger element operates to trigger fragmentation ofthe glass substrate responsive to the tamper-respondent detectordetecting the attempted intrusion event into the secure volume.

In one or more implementations, the enclosure may be a glass enclosuredefining, at least in part, the secure volume, with the glass enclosurecomprising stressed glass with a compressively-stressed surface layer.For instance, the enclosure may comprise a plurality of stressed glasselements adhesively bonded together to form the enclosure, each stressedglass element comprising a respective, compressively-stressed surfacelayer, with the plurality of stressed glass elements defining multiplesides of the secure volume. In this implementation, one stressed glasselement of the plurality of stressed glass elements may comprise or bethe glass substrate, and the electronic component(s) and thefragmentation trigger element may both be secured to the one stressedglass element. In other implementations, the glass substrate may belocated within the secure volume, and be separate from the enclosure.Further, note that in these implementations, the enclosure may be otherthan a glass enclosure.

In one or more implementations, the tamper-proof electronic package mayinclude a glass enclosure which defines, at least in part, the securevolume. The glass enclosure may comprise stressed glass with acompressively-stressed surface layer, and the glass enclosure may be theglass substrate, with the electronic component(s) being adhesivelycoupled to an inner surface of the glass enclosure. By way of furtherexample, the package may include an upper glass enclosure, and a baseglass enclosure, with the upper glass enclosure and the base glassenclosure being adhesively secured together to define the secure volume,and both comprising stressed glass with a compressively-stressed surfacelayer. In such a configuration, the electronic component(s) may beadhesively secured to an inner surface of either enclosure.

Referring to FIG. 9, one embodiment of a tamper-proof electronicpackage, generally denoted 600′, is presented, which includes a stressedglass component substrate, in accordance with one or more aspects of thepresent invention. By way of example, tamper-proof electronic package600′ is similar to tamper-proof electronic package 600 described abovein connection with FIG. 6. In this embodiment, however, a glasssubstrate 900 is provided mounted, for instance, to a surface ofmultilayer circuit board 210 within secure volume 201. As noted above,glass enclosure 220′ is adhesively secured to an upper surface ofmultilayer circuit board 210, and multilayer circuit board includesembedded tamper-respondent sensors 300, as well as one or moreelectronic components, such as electronic devices or elements 202disposed within secure volume 201.

By way of example, glass enclosure 220′ may be a machined, monolithicglass element comprising a multi-sided glass structure defining multiplesides of secure volume 201. In this example, fewer sensors 502 may beemployed by tamper-respondent detector 505 to monitor for fragmentationof glass enclosure 220′, since fragmentation of the entire elementswould occur upon any attempt to penetrate the stressed glass from anydirection, whether mechanically or chemically attaching the stressedglass, thereby triggering detection of the tamper event by monitorcircuitry 501. As noted above, a monolithic glass element such asdepicted in FIG. 9 could be formed from a single block of glass beinghollowed out, for instance, by etching or other machining methods, tocreate a cavity that allows for the glass enclosure to accommodate theone or more electronic components to be protected within secure volume201 between, for instance, glass enclosure 220′ and multilayer circuitboard 210. As with the embodiments described above, opacity of the glassenclosure may be provided to, for instance, prevent an intruder fromhaving visibility into the secure volume of the tamper-proof electronicpackage.

As noted, as an enhancement, a separate glass substrate 900 may beprovided within secure volume 201. This glass substrate 900 may beformed of stressed glass with a compressively-stressed surface layer,such as described herein for the glass enclosures. Note also that,although depicted in combination with glass enclosure 220′, glasssubstrate 900 could be employed within the secure volume of any type oftamper-respondent assembly, irrespective of the type of enclosureemployed.

One or more electronic components 910, such as one or more memorycomponents, or more particularly, one or more persistent memorycomponents, may be adhesively secured to glass substrate 900. Further, afragmenting trigger element 912 may be secured to glass substrate 900.In operation, tamper-respondent detector 505 may detect an attemptedintrusion event into secure volume 201, and in response, monitorcircuitry 501 signals fragmenting trigger element 912 to fragment glasssubstrate 900. In one or more implementations, fragmenting triggerelement 912 may comprise an electromechanical element which initiatesfragmenting of the stressed glass substrate 900 with the tamper event.For instance, the electromechanical element could comprise a loadedspring which is released upon detection of a tamper event to push a nailinto glass substrate 900, causing the glass substrate to fragment.Alternatively, in one or more implementations, fragmenting triggerelement 912 may comprise a laser pointing at the glass substrate 900,which punctually heats the glass substrate to fragment upon detection ofa tamper event.

Note that as with the glass enclosure embodiments described above,thickness of stressed glass substrate 900 may be tailored to a desiredsize for a particular application and a particular desired fragmentationsize of fragmenting glass pieces resulting from the attempted tamperintrusion event.

Note also that electronic component(s) 910 adhesively bonded to glasssubstrate 900 may be thinned to a desired dimension to ensurefragmenting of electronic component(s) with fragmenting of glasssubstrate 900. For instance, the electronic component(s) may be thinnedto a thickness of 100-200 μms, or less, with the thickness of theelectronic component depending in part on, for instance, the materialemployed in fabricating the component. As one specific example, asilicon-on-insulator (SOI) component may be thinned to 150 μms, or less,and direct-chip-attached to glass substrate 900. In such aconfiguration, fragmenting of the underlying glass substrate, which mayhave a thickness in the range of the glass enclosure thicknessesdescribed above, ensures physical fragmenting and destruction of theelectronic component(s) as well. In operation, the fragmenting glasssubstrate essentially pulls the electronic component(s) apart in pieces,commensurate with fragmenting of the glass into pieces. Any of variousadhesives which bond well to glass may be employed. For instance, theabove-referenced Henkel Locktite Hysol EA 9360 AERO epoxy adhesive couldbe employed to strongly secure electronic component(s) 910 to glasssubstrate 900.

As noted, by facilitating physical destruction of the electroniccomponent(s) upon detection of a tamper event, persistent memory may beemployed within the secure volume, reducing the need for battery powerto operate a quick erasure of volatile memory, as in prior approaches.

FIG. 10 depicts an alternate implementation of a tamper-proof electronicpackage 500′, which is similar to tamper-proof electronic package 500 ofFIG. 5, with the exception of one or more electronic component(s) 910,as well as a fragmenting trigger element 912 being added to, forinstance, a stressed glass element 520 of glass enclosure 220. As noted,glass enclosure 220 in this example may be formed of a plurality ofstressed glass elements 520 adhesively bonded together. Each stressedglass element 520 may include one or more respective,compressively-stressed surface layers, and together, the plurality ofstressed glass elements 520 define multiple sides of secure volume 201.Stressed glass elements 520 may be adhesively secured together using,for instance, the same structural adhesive used in securing glassenclosure 220 to, for instance, multilayer circuit board 210, which asnoted above, may comprise multiple embedded tamper-respondent sensors300.

Tamper-respondent detector 505 may be provided, comprising monitorcircuitry 501 and multiple sensors 502, with each sensor 502 beingassociated with a respective, stressed glass element 520 (in one or moreembodiments). By way of example, two sensors 502 are depicted in FIG. 10for clarity. In one or more implementations, sensors 502 may be designedor configured to ensure fragmenting of the sensor with fragmenting ofthe attached stressed glass element 520, and thereby detection of thetamper event.

In one or more implementations, each stressed glass element 520comprises, for instance, ion-exchange glass, formed as described above.Where the glass elements are assembled and adhesively secured togetheras depicted in FIG. 10, they form glass enclosure 220 enclosing, forinstance, the electronic devices or elements 202 within secure volume201 of tamper-proof electronic package 500′.

In this implementation, one or more electronic components 910 areadhesively secured to an inner surface of one or more stressed glasselements 520. As noted above, the electronic component(s) 910 are sizedto fragment with fragmenting of the attached glass substrate, orstressed glass element 520. Fragmenting of the stressed glass element520 supporting electronic component(s) 910 may be ensured by alsoattaching fragmenting trigger element 912 to an inner surface of thestressed glass element 520 having electronic component(s) 910 securedthereto. In this way, upon monitor circuitry 501 detecting a tamperevent through, for instance, a different portion of thetamper-respondent electronic package 500′, the monitor circuitry 501 maysignal the trigger element to initiate fragmenting of the stressed glasselement 520 supporting electronic component(s) 910, and thereby physicaldestruction of the electronic component. This advantageously provides adifferent mechanism for destroying confidential information within thesecure volume upon detection of an attempted tamper event into thesecure volume. As illustrated, conductive lines may be provided couplingthe electronic component(s) 910 mounted to the inner surface of stressedglass element 520 to one or more other electronic components or devices202 within secure volume 201. Electronic component thicknesses andexemplary adhesives may be as described above.

FIG. 11 depicts another embodiment of a tamper-proof electronic package700′, in accordance with one or more aspects of the present invention.In this embodiment, the multilayer circuit board of FIG. 9 is replacedby, for instance, a base glass enclosure 701 structurally, adhesivelybonded 702 to glass enclosure 220′, which in this assembly, is an upperglass enclosure. Together, the upper and lower glass enclosures 220′,701 substantially form a 360° glass enclosure about secure volume 201,accommodating the electronic components, including electronic devices orelements 202 to be protected. Base glass enclosure 701 may also comprisestressed glass, with one or more compressively-stressed surface layers,such as described herein. Note that the thickness of the upper and lowerglass enclosures 220′, 701 may be the same or different. As with theembodiment of FIG. 7, tamper-respondent detector 505 is provided and mayinclude monitor circuitry 501 and one or more sensors 502. Depending onthe implementation, sensors 502 may be optionally provided. Whenprovided, one sensor 502 may be associated with upper glass enclosure220′, and in one or more embodiments, another sensor (not shown) may beassociated with base glass enclosure 701, such that an attemptedintrusion event through any portion of the tamper-proof electronicpackage results in a fragmentation of at least the corresponding upperor base glass enclosure, and thereby detection of the tamper event toallow for one or more actions to be taken to protect any confidentialinformation within secure volume 201. Alternatively, in one or moreembodiments, structural adhesive 702 may sufficiently bond upperenclosure 220′ and base glass enclosure 701 such that fragmentation ofone, necessarily results in fragmentation of the other, in which casesensors 502 may be omitted.

In addition to structural adhesive 702, tamper-proof electronic package700′ may include one or more sensors, such as exposed conductive linesor traces on one or both of the upper and base glass enclosures, forinstance, where joined via adhesive 702. Thus, any pulling apart of theadhesive would necessarily result in damage to the conductive trace(s)at the interface, and thereby, detection of an attempted intrusion eventthrough the adhesive. Electrical signals may be provided into or fromthe secure volume 201 via one or more signal lines 703 extendingthrough, for instance, specially-configured exit portals of base glassenclosure 701. For instance, in one or more implementations, Z-shaped,or other angled channels, could be formed in base enclosure 701 throughwhich electrical signal lines 703 may pass. The angled channels may beformed to provide a mechanically-secured egress and ingress ofelectrical signal line 703 from and to secure volume 201.

In this embodiment, one or more electronic component(s) 910 areadhesively secured to an inner surface of one of the enclosures, forinstance, stressed glass enclosure 220′, such that any fragmenting ofstressed glass enclosure 220′ also results in fragmenting of electroniccomponent(s) 910, as described herein. If desired, a fragmenting triggerelement (not shown) could be provided coupled to glass enclosure 220′to, for instance, ensure fragmenting of the upper glass enclosure 220′with an attempted intrusion event through the base glass enclosure 701.

In one or more other embodiments, a multilayer circuit board may beprovided with, for instance, the upper glass enclosure bonding to anupper surface of the multilayer circuit board, and the base glassenclosure bonding to a lower surface of the multilayer circuit board.For instance, the multilayer circuit board and the upper and base glassenclosures could be sized and configured such that the upper glassenclosure bonds to the multilayer circuit board about a periphery of themultilayer circuit board, and the base glass enclosure bonds to thelower surface of the multilayer circuit board about a periphery of themultilayer circuit board. In this configuration, one or moretamper-respondent sensors may be embedded within the multilayer circuitboard about the periphery of the multilayer circuit board, and tied tothe monitor circuitry within the secure volume. For instance, the one ormore tamper-respondent sensors may include at least one peripheraltamper-detect circuit defined, at least in part, by a plurality ofthrough-substrate vias extending through or within the multilayercircuit board, for instance, between the upper and lower surfaces of themultilayer circuit board. The peripheral tamper-detect circuit(s) couldelectrically connect to the monitor circuitry of the tamper-respondentdetector to facilitate defining the secure volume for accommodating theone or more electronic components.

Note also with respect to FIGS. 9-11, that although depicted withreference to a single electronic component 910 being adhesively securedto a glass substrate 900 (FIG. 9), 520 (FIG. 10), 220′ (FIG. 11), thatmultiple electronic components could be adhesively secured to the glasssubstrate. For instance, if more than one persistent memory component isdesired within the secure volume, then the multiple persistent memoriescould be adhesively secured to a common, or different, stressed glasssubstrates designed to fragment, as discussed herein, with detection ofan attempted intrusion event into the secure volume of the tamper-proofelectronic package.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the invention. Asused herein, the singular forms “a”, “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprise” (andany form of comprise, such as “comprises” and “comprising”), “have” (andany form of have, such as “has” and “having”), “include” (and any formof include, such as “includes” and “including”), and “contain” (and anyform contain, such as “contains” and “containing”) are open-endedlinking verbs. As a result, a method or device that “comprises”, “has”,“includes” or “contains” one or more steps or elements possesses thoseone or more steps or elements, but is not limited to possessing onlythose one or more steps or elements. Likewise, a step of a method or anelement of a device that “comprises”, “has”, “includes” or “contains”one or more features possesses those one or more features, but is notlimited to possessing only those one or more features. Furthermore, adevice or structure that is configured in a certain way is configured inat least that way, but may also be configured in ways that are notlisted.

The corresponding structures, materials, acts, and equivalents of allmeans or step plus function elements in the claims below, if any, areintended to include any structure, material, or act for performing thefunction in combination with other claimed elements as specificallyclaimed. The description of the present invention has been presented forpurposes of illustration and description, but is not intended to beexhaustive or limited to the invention in the form disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the invention.The embodiment was chosen and described in order to best explain theprinciples of one or more aspects of the invention and the practicalapplication, and to enable others of ordinary skill in the art tounderstand one or more aspects of the invention for various embodimentswith various modifications as are suited to the particular usecontemplated.

What is claimed is:
 1. A tamper-proof electronic package comprising: aglass substrate, the glass substrate comprising stressed glass with acompressively-stressed surface layer; at least one electronic componentadhesively secured to the glass substrate within a secure volume of thetamper-proof electronic package, the at least one electronic componentcomprising an electronic memory module configured to fragment withfragmenting of the glass substrate; a glass enclosure defining, at leastin part, the secure volume, the glass enclosure comprising stressedglass with a compressively-stressed surface layer, and wherein the glasssubstrate defines a side of the glass enclosure, and the electronicmemory module configured to fragment with fragmenting of the glasssubstrate is adhesively coupled to and covering, in part, an innersurface of the side of the glass enclosure; wherein the glass substratefragments with an attempted intrusion event into the tamper-proofelectronic package, the fragmenting of the glass substrate alsofragmenting the at least one electronic component secured thereto,destroying the at least one electronic component; and wherein the glassenclosure is an upper glass enclosure, and the tamper-proof electronicpackage further comprises a base glass enclosure, the upper glassenclosure and the base glass enclosure being adhesively secured togetherto define the secure volume, and wherein the base glass enclosure alsocomprises stressed glass with a compressively-stressed surface layer. 2.The tamper-proof electronic package of claim 1, wherein the glasssubstrate has undergone ion-exchange processing to provide the stressedglass with the compressively-stressed surface layer.
 3. The tamper-proofelectronic package of claim 1, wherein the compressively-stressedsurface layer of the stressed glass is compressively stressed to ensurethat the stressed glass fragments into glass particles of fragmentationsize less than 1000 μms with the attempted intrusion event.
 4. Thetamper-proof electronic package of claim 1, wherein the electronicmemory module comprises a persistent memory module adhesively secured tothe glass substrate.
 5. The tamper-proof electronic package of claim 1,further comprising: a tamper-respondent detector monitoring for theattempted intrusion event into the secure volume; and a fragmentingtrigger element secured to the glass substrate to trigger fragmentationof the glass substrate with the tamper-respondent detector detecting theattempted intrusion event into the secure volume.
 6. A fabricationmethod comprising: fabricating a tamper-proof electronic package, thefabricating comprising: providing a glass substrate, the glass substratecomprising stressed glass with a compressively-stressed surface layer;adhesively securing at least one electronic component to the glasssubstrate, and the glass substrate being within a secure volume of thetamper-proof electronic package, the at least one electronic componentcomprising an electronic memory module configured to fragment withfragmenting of the glass substrate; providing a glass enclosuredefining, at least in part, the secure volume, the glass enclosurecomprising stressed glass with a compressively-stressed surface layer,and wherein the glass substrate defines a side of the glass enclosure,and the electronic memory module is configured to fragment withfragmenting of the glass substrate being adhesively coupled to andcovering, in part, an inner surface of the side of the glass enclosure;wherein the glass enclosure is an upper glass enclosure, and fabricatingthe tamper-proof electronic package further comprises fabricating a baseglass enclosure, the upper glass enclosure and the base glass enclosurebeing adhesively secured together to define the secure volume, andwherein the base glass enclosure also comprises stressed glass with acompressively-stressed surface layer; and wherein the glass substratefragments with an attempted intrusion event into the secure volume ofthe tamper-proof electronic package, the fragmenting of the glasssubstrate also fragmenting the at least one electronic component securedthereto, destroying the at least one electronic component.
 7. The methodof claim 6, wherein providing the glass substrate comprises machiningthe glass substrate to a desired configuration, and then ion-exchangeprocessing the glass substrate to obtain the stressed glass with thecompressively-stressed surface layer.
 8. The method of claim 6, whereinthe compressively-stressed surface layer of the stressed glass iscompressively stressed to ensure that the stressed glass fragments intoglass particles of fragmentation size less than 1000 μms with theattempted intrusion event.
 9. The method of claim 6, wherein theelectronic memory module comprises a persistent memory module, and themethod comprises adhesively securing the persistent memory module to theglass substrate.
 10. The method of claim 6, further comprising:providing a tamper-respondent detector monitoring for the attemptedintrusion event into the secure volume; and providing a fragmentingtrigger element secured to the glass substrate to trigger fragmentationof the glass substrate with the tamper-responding detector detecting theattempted intrusion event into the secure volume.